[ipv6hackers] Status on NDP Exhaustion Attacks?
owend at he.net
Wed Sep 28 07:40:31 CEST 2011
On Sep 27, 2011, at 4:59 PM, Jim Small wrote:
> Are there any new defenses for NDP Exhaustion attacks:
> I have heard that Cisco has implemented some protection against this but I haven't uncovered any specifics just yet.
> The author's recommendation was to use smaller subnets that /64s. My experience from teaching networking is that VLSM/Subnetting adds complexity and that if all host/server networks in IPv6 could be /64s it would make networking easier.
> Is there a good solution to this problem besides smaller subnets?
The primary solution is that while ND exhaustion attacks are a reality, remote ND exhaustion attacks can be mitigated with reasonable firewall rules in most cases. Unless you are a university, it's rare that you really need to defend against an internal DOS attack that doesn't yield anything other than DOS.
More information about the Ipv6hackers